Privacy Policy

Article 1. Definitions:

The following definitions must be taken into account for the interpretation of these Policies and will be used interchangeably in singular or plural without altering their meaning:

• a) Personal information. refers to information that identifies a person, such as name, address, email address, among others. “Personal Information” does not include anonymized and/or aggregated data that does not identify a specific user. We are committed to protecting and respecting your privacy. The purpose of this privacy policy is to describe: i) The types of Personal Information we collect and how it may be used, ii) How and why we may disclose your personal information to third parties; iii) The transfer of your Personal Information; according to compliance with the Law; iv) Your right to access, correct, update and delete your Personal Information; v) The security measures we use to protect and prevent the loss, misuse or alteration of Personal Information; vi) Our retention of your Personal Information; vii) This privacy policy also covers some basic concepts of our use of cookies, for more information see our cookie policy here.

• b) Authorization. Prior, express and informed consent of the Owner to carry out the Processing of Personal Data.

• c) Personal Data Base. Organized set of Personal Data that is subject to Processing by the Controller, or whoever he or she designates, in his or her capacity as Controller and/or Processor of the Personal Data.

• d) Cookies. Information sent by the Website of the Controller and stored in the browser of the Owner who accesses and browses the website, which saves their browsing preferences.

• e) Personal Data. Any information linked or that can be associated with one or more specific or determinable natural persons. Within this typology of information, identification and contact data, data about the family group, information about health, among others, are grouped together.

• f) Public Data It is the data qualified as such according to the law or the Political Constitution of Mexico. Some examples are the marital status of the person, their profession or trade, their status as a merchant or public servant and those that can be obtained without any reservation. Due to its nature, Public Data may be contained, among others, in public records, public documents, official gazettes and bulletins, duly executed judicial rulings that are not subject to confidentiality.

• g) Sensitive Data. They are those that may affect the privacy of the Owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, or human rights organizations. or that promote the interests of any political party, or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data.

• h) Treatment Manager or Manager. Natural or legal person, public or private in nature, who, by themselves or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller.

• i) Policies. They are the Policies and Procedures for the Processing of Personal Data adopted by the Company.

• j) Responsible for the Treatment or Responsible. Natural or legal person, public or private, who alone or in association with others, decides on the Database and/or the Processing of Personal Data.

• k) INAI. The National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) is the autonomous body that ensures compliance with the laws and regulations related to the protection of personal data in Mexico.

• l) Owner. Natural person whose Personal Data is the subject of Processing and whose authorization must be collected.

• m) Transfer. The Transfer of Personal Data is the sending of Personal Data by the Controller and/or Processor to a third party located inside or outside the country and who in turn will be treated as the Controller.

• n) Transmission. Processing of personal data that involves the communication of the same inside or outside of Mexico when its purpose is to carry out a Processing by the Processor on behalf of the Controller.

• o) Treatment. Any operation or set of operations involving Personal Data, such as the collection, storage, use, circulation or deletion of Personal Data.

In compliance with Mexican laws and current international conventions regarding privacy and the processing of personal data, we actively monitor the methods of collection of your personal information and define the purposes for which we use said personal information. In accordance with applicable Legislation, these Policies incorporate the mandates contained in articles 6 and 16 of the Political Constitution of Mexico, the Federal Law on Protection of Personal Data Held by Private Parties of Mexico, the Regulations of the LFPDPPP, the Official Rules Mexican Laws (NOMs), Resolutions of the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI), General Law of Consumers and Users, Federal Consumer Protection Law, and the applicable expressions within the Commercial Code and the Code Civil Federal, as well as other applicable Mexican legal provisions regarding data protection, we act as a "data controller" within the meaning of such regulations.

The preparation and dissemination of the current Guidelines complies with the provisions of the applicable Mexican regulations. The purpose of this act is to regulate the processes of collection, management and, in general terms, the Processing of Personal Data carried out by the Controller, or the person whom it designates, with the primary objective of safeguarding and protecting the rights of the Data Controller. Owners, as well as to comply with the responsibilities stipulated by current regulations.

Article 2. Principles:

The principles detailed below make up the general scheme for compliance with the provisions enshrined in these Policies:

• a) Principle of purpose. The Treatment must obey a legitimate purpose in accordance with the Constitution and the law, which must be informed to the Owner.

• b) Principle of freedom. Data Processing can only be carried out with the consent of the Owner, which must be granted in advance, expressly and informed. No personal data may be collected or disclosed without proper authorization, unless there is a legal or judicial mandate that waives the need for such consent.

• c) Principle of truthfulness or quality. The information subject to Treatment must be true, complete, accurate, updated, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited.

• d) Principle of transparency. It is imperative to ensure the full exercise of the Owner's right regarding the Processing of Personal Data. In this sense, the obligation is established for the Data Controller or the Data Processor to provide the Owner, unconditionally and at any time, detailed information on the existence of Personal Data that concerns him or her. This provision safeguards the transparency and self-determination capacity of the Owner, which are fundamental in the field of data protection.

• e) Principle of restricted access and circulation. The processing of information must comply with specific restrictions, which arise both from the intrinsic nature of the personal data and from the relevant legal provisions.

• f) Security principle. As an integral part of the information processing, it imposes the obligation on the Controller or Processor to implement technical, human and administrative measures to safeguard the integrity of the records, prevent their adulteration, loss, unauthorized consultation or use or fraudulent access. adopting a comprehensive approach that guarantees adequate protection of the information subject to processing, ensuring its confidentiality and integrity against possible threats or risks.

• g) Principle of confidentiality. establishes a fundamental obligation for all persons involved in the Processing of personal data that are not public. These people are committed to ensuring the confidentiality of the information, even after concluding their relationship with the work related to the Treatment. Under this principle, the unauthorized disclosure of Personal Data is prohibited, and the provision or communication of such information is only permitted when necessary for the development of activities authorized by law and in accordance with its terms. This provision seeks to preserve the confidentiality of personal data throughout the entire process, emphasizing the continuous responsibility of those involved in its processing even after completing their participation in the tasks associated with it.

• h) Protection of Sensitive Data. The Controller will carry out the Processing of Personal Data of a sensitive nature as long as there is express authorization from the Owner of the information, which will occur after exhausting the special procedure for its collection in the terms of current legislation.

• i) ARCO Rights. Owners have Access, Rectification, Cancellation and Opposition (ARCO) rights to control their personal data.

• j) Data Protection of Minors These Policies will take into account the prevailing rights of minors, providing special protection to their fundamental rights in accordance with the Political Constitution of Mexico.

Paragraph:Access to the services provided by BUSINESS SHOP A&A and its subsidiaries is reserved exclusively for people of legal age. BUSINESS SHOP A&A is committed to applying best practices in order to prevent access to the website and its services by minors. The company does not support nor encourage the use of such services by minors.

Article 3. Databases.

The policies and procedures on which the Controller carries out the Treatment are subject to registration in the National Registry of Personal Data (RNBD) through the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI), which is the authority in charge of supervising compliance with the LFPDPPP, and the other rules that regulate, modify or compile it.

Article 4. Obligations of the Data Controller.

The Responsible Party will comply with the following obligations:

4.1.Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data contained in the regulations mentioned in Article 1 of these Policies.

4.2.Request and keep, under the conditions provided for in the applicable regulations, a copy of the respective Authorization granted by the Owner.

4.3.Duly inform the Owner about the purpose of the collection of Personal Data and the rights granted to him by virtue of the Authorization granted.

4.4.Preserve and store the Personal Data provided under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

4.5.Guarantee that the information provided to the Data Processor, as the case may be, is true, complete, accurate, updated, verifiable and understandable.

4.6.Update the information, communicating in a timely manner to the Data Processor, all the news regarding the Personal Data that has previously been provided to it and adopt the necessary measures so that the information provided to it remains updated.

4.7.Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor.

4.8.Provide the Data Processor, as the case may be, only Personal Data whose Processing is previously authorized in accordance with the provisions of the applicable regulations.

4.9.Demand that the Data Processor at all times respect the security and privacy conditions of the Owner's Personal Data.

4.10.Process queries and claims made by the Owners in the terms indicated in these Policies and in the law.

4.11.Inform the Data Processor at all times of respect for the security and privacy conditions of the Owner's information.

4.12.Process queries and claims formulated in the terms indicated in the ARCO rights and those enshrined in these Policies.

4.13.Inform the Data Processor when certain information is under discussion by the Owner, once the claim has been submitted and the respective process has not been completed.

4.14.Inform, at the request of the Owner, about the Treatment that is being given to their Personal Data.

4.15.Inform the data protection authority when there are violations of security codes and there are risks in the administration of the Personal Data of the Owners.

4.16.Comply with the instructions and requirements given by the INAI regarding the protection of Personal Data.

Article 5. Obligations of the Data Processor.

The subjects who are designated as Managers will comply with the following obligations:

5.1.Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data.

5.2.Maintain the information under the security conditions necessary to prevent its adulteration, loss, unauthorized or fraudulent consultation, use or access.

5.3.Timely update, rectify or delete Personal Data in accordance with the law.

5.4.Update the information reported by the Data Controller within the following fifteen (15) business days from receipt.

5.5.Process queries and claims made by the Owners in the terms indicated in the Policies and in the law.

5.6.Register in the Personal Data Base the legend “claim in process” in the manner regulated by law, with respect to those queries, complaints or unresolved claims that have been presented by the Holders of the Personal Data.

5.7.Note in the Personal Data Base the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of the Personal Data.

5.8.Refrain from circulating information that is being controversial by the Owner and whose blocking has been ordered by the INAI.

5.9.Allow access to information only to people who can have access to it.

5.10.Inform the INAI when violations of security codes occur and there are risks in the administration of the owners' information.

5.11.Comply with the instructions and requirements issued by the INAI.

Article 6. Collection and use of personal information

We collect the following personal information:

6.1.Contact information, such as first name, last name, date of birth, address, email address, social media accounts.

6.2.Account information, such as username and password.

6.3.Identity verification information, such as images of your government-issued identification, passport, national identification card, driver's license, or other documents requested by our compliance department; or that is necessary for KYC or AML validation.

6.4.Biometric information or data related to unique physical characteristics, such as fingerprints, particular or specific facial features, as well as voice and other unique physical data.

6.5.Residency verification information, such as utility bill details or similar information.

6.6.Information about the computer or mobile device you use to access our website, including hardware model, operating system and version, the web browser you use, IP addresses and other device identifiers.

6.7.Website usage information, server log information, which may include (but is not limited to) your login details, the date and time of visits, the pages viewed, your IP address, the time you happens on our website and the websites you visit just before and just after our website.

6.8.Bandwidth upload and download speeds, the amount of free and used storage space on your device, and other statistics about your device.

6.9.Blockchain data. Public blockchain data, including blockchain addresses and cryptoasset transaction information related to those blockchain addresses.

6.10.Information added. Analysis about aggregate numbers of users and types of usage (i.e. number of page views, event counts, and aggregate acquisition metrics) and information such as how many users in total are using certain protocols with the help of the Services; and aggregate location data between users, including the countries and regions from which users access the Services or the Site.

We may automatically capture, store and process information about you, even if you abandon completing an online application or registration form.

Article 7. How we use your personal information.

We may use your personal information to:

7.1.Process your transactions. We will process your personal information only for the purposes for which it has been provided to us.

7.2.Comply with our legal or regulatory requirements.

7.3.Verify your identity in accordance with applicable law, as well as address other law enforcement needs. We may also share your information with other financial institutions and tax authorities if such actions are required of us under applicable law.

7.4.Detect, investigate and prevent fraudulent transactions or unauthorized or illegal activities.

7.5.Protect our rights and property.

7.6.Personalize your Service experience, carry out commercial segmentation analysis, satisfaction surveys of the services of the Controller, related companies and their commercial allies, send commercial information through email, telephone, cell phone, text messages, instant messaging, and through physical and electronic mechanisms, use of the information by the commercial force of the Controller, the companies linked to it or third parties allied to it, to develop documentary activities, customer service, marketing activities, business intelligence, to the development of new products and services, for the management and development of products in the pre-contractual, contractual and post-contractual stage, offer and provision of activities related to digital wallet, Fintech products, services through the Controller's APP and all the services that make up the product portfolio of the Controller, related companies and allied third parties.

7.7.Analyze the use, improvements and offers of the website. Analyze and track data to determine the usefulness or popularity of certain content and to better understand the online activity of our website users.

7.8.Help respond to your customer service requests and support needs, respond to your inquiries, or respond to a communication from you.

7.9.Contact you about the Services. The email address you provide may be used to communicate information and updates related to your use of the Services. From time to time, we may also communicate technical notices, support or administrative notifications, company news, updates, promotions and information related to similar products and Services provided by us.

7.10.Administer a contest, promotion, survey or other features, as will be explained in more detail on the website.

7.11.Link, connect or combine the Personal Information we collect from or about you with other Personal Information.

7.12.The linking of the Owner to the Controller's company, for the creation of simplified, ordinary deposit accounts and for the use of the services offered by it, the related companies and allied third parties.

7.13.Processing of PQRs related to the products and services offered by the Controller and the Processing of the Owner's Personal Data.

7.14.Participation in selection processes that could eventually be carried out by the Controller to evaluate the existence of an employment relationship.

7.15.Payroll management, admission processes and selection of personnel of the Controller or third parties, linkage to the social security system in favor of the Owner and his family members, occupational health, safety at work, feeding of the information required by the systems health and social security management, and to establish contact with former employees.

7.16.Admission, selection and linking processes of contractors, suppliers and clients of the Responsible Party, achieving efficient communication with the parties involved in the contracts signed in the development of the corporate purpose of the Controller, and management and sending of communications for information purposes, for the development of marketing and advertising campaigns.

7.17.The Controller may use the Personal Data provided for the purposes of carrying out training activities in favor of the Owners.

7.18.Use Personal Data to establish contact and to offer information about the service portfolio of the Controller, related companies or allied third parties.

7.19.Carry out any other purpose or reason for which the Information was collected.

We do not track the behavior of a customer's activities on other websites, nor do we allow the collection of data from third parties through our services.

If you wish to stop receiving marketing communications from us, please contact us at privacy@businessshop.aito unsubscribe.

Article 8. Transmission of Personal Data.

For the Transmission of the Personal Data of the Owners, as well as for any Transmission that the Controller makes for the fulfillment of the purposes of the Treatment or to delegate the Treatment to a third party who becomes the Processor, the Controller will take all the measures that are necessary to guarantee compliance with these Policies, as well as to guarantee the Owner the exercise of their rights. The Owner authorizes the Controller to carry out the Transmission of his Personal Data, inside or outside the national territory, which will be carried out guaranteeing the necessary conditions to safeguard the integrity of the information.

Article 9. Transfer of Personal Data.

In the event that the Controller temporarily or permanently transfers the Personal Data to a third party, inside or outside the country, in which case said third party will become the Controller of the Personal Data Processing, it will take the necessary measures to preserve the rights. of the Holders during the Transfer. The Owner Authorizes the Controller to carry out the Transfer of your Personal Data, within or outside the national territory, which will be carried out guaranteeing the necessary conditions to safeguard the integrity of the information.

Article 10. Cases of Transfer and/or Transmission of Personal Data.

For the fulfillment of the services provided by the Controller, it may be necessary that the Personal Data belonging to the Owners be Transmitted and/or Transferred, inside or outside the country, to the companies that make up the business group to which the Controller belongs or to third parties. allies duly authorized for your Treatment. In cases in which the Transmission and/or Transfer of Personal Data occurs, these will be sent to the Databases of companies that have an adequate level of security for the protection of Personal Data.

The Controller will keep published on its Website the companies and companies of the business group to which it belongs, which may be recipients of the Personal Data that the Controller communicates to them, which will be done in response to the authorization provided by the Owners of the information and the purposes by these consented for their treatment. For cases of Transfer and/or Transmission of Personal Data, the Controller will take the necessary measures so that the processing of the information made by third parties is carried out based on the purposes authorized by the Owners, under strict confidentiality and security measures. of the information and in accordance with the requirements that the applicable legislation imposes for this type of Treatment.

Article 11. Disclosure and transfer of personal information.

We may disclose your personal information to third parties and legal and regulatory authorities, and transfer your personal information as described below:

11.1.Disclosures to Third Parties.

In processing your transactions, we may share some of your personal information with our third-party service providers who assist with our business operations. Your information will not be sold, traded or shared with third parties without your consent, except to provide Services or as required by law. By using the Website or Services, you agree to the disclosure of your personal information as described in this privacy policy. Non-personally identifiable visitor information may be provided to third parties for marketing, advertising, or other uses. Our third-party service providers are contractually obligated to protect and use such information only for purposes for which it was disclosed, except as otherwise required or permitted by law. We ensure that such third parties are subject to terms no less protective than those described in this Privacy Policy, or those to which we are subject under applicable data protection laws.

11.2.Disclosures to Legal Authorities.

We may share your personal information with law enforcement agencies, data protection authorities, government officials and other authorities when:

• 11.2.1Compelled by subpoena, court order, judgments or other legal process.

• 11.2.2We believe disclosure is necessary to prevent physical harm or financial loss.

• 11.2.3Disclosure is necessary to report suspected illegal activity.

• 11.2.4Detect, investigate and prevent fraudulent transactions or unauthorized or illegal activities.

• 11.2.5The disclosure is necessary to investigate violations of this privacy policy or any agreement we have with you.

11.3.International transfers of personal information.

We store and process your personal information in data centers around the world, wherever our facilities or service providers are located. As such, we may transfer your personal information between such data centers. Such transfers are made in accordance with our legal and regulatory obligations and are carried out only through protected channels.

11.4.Another circumstance for the disclosure of personal information.

We may also disclose your personal information in the following circumstances:

• 11.4.1With your consent or under your instructions. Certain information you may choose to share may be displayed publicly, such as your username and any content you post when using interactive areas of our website such as our online forums.

• 11.4.2With our current or future parent companies, affiliates, subsidiaries, and other companies under common control or ownership with us or our offices internationally. We ensure that the listed parties are subject to terms no less protective than those described in this Privacy Policy, or those to which we are subject under applicable data protection laws.

• 11.4.3If the sharing of personal information is necessary for the protection of our rights and property, or the rights and property of current or future parent companies, affiliates, subsidiaries listed above and with other companies under common control or ownership with us or our offices .

11.5.External websites.

From time to time, the Website may provide references or links to other websites ("External Websites"). We do not control these external third-party websites or any of the content they contain. You agree that we are in no way responsible for any external websites referenced or linked from our website, including, but not limited to, website content, policies, faults, promotions, products, services or actions and/or any damages, losses, failures or problems caused by, related to, or arising from those sites. External websites have separate and independent privacy policies. We encourage you to review the policies, rules, terms and regulations of each site you visit. We seek to protect the integrity of our site and welcome any feedback regarding external website information provided on our website.

Article 12. Your rights regarding your personal information

The Owners of the Personal Data contained in the Personal Data Bases of the Controller have the following rights, which do not limit those that are enshrined in the Political Constitution of Mexico and in the law:

12.1. Right of access.The Owner has the right to obtain information regarding the Personal Data that belongs to him, know the purpose for which the Treatment is carried out, the location of the Databases that store his Personal Data and the communications and/or transfers and/or shipments that have been made regarding them.

12.2. Right to update.The Owner may update his/her Personal Data when it has undergone any variation.

12.3. Right to rectification.The Owner may modify his/her Personal Data when it turns out to be inaccurate, incomplete or non-existent.

12.4. Right of cancellation.The Owner may delete his/her Personal Data when it is excessive or not relevant for the Processing, or the Processing is contrary to the regulations, except in those cases contemplated as exceptions by law.

12.5. Right to revoke consent.The Owner may revoke the authorization or consent that enables the Owners and/or whomever they designate, to Processing for a certain purpose, except when there is a legal or contractual duty that imposes the obligation for the Personal Data to remain in the Data Bases. Data of the Responsible.

12.6. Right to file complaints and claims or take action regarding the Processing of your Personal Data.The Owner may submit complaints and claims to the INAI, or the competent entity, as well as any actions that may be relevant for the protection of their Personal Data.

12.7. Right to grant Authorization for the Processing of Personal Data.The Owner has the right to grant Authorization to the Controller, or whoever they designate, for the Processing of their Personal Data.

12.8. You have the right to withdraw consent to the processing of personal data.You can also exercise your right to be forgotten and delete your personal information from our servers. We will delete the Personal Data we process, except for those Personal Data that we are obliged to store in accordance with the requirements established by applicable legislation.

Paragraph.The exercise of these rights will be free and unlimited by the Owner of the Personal Data, without prejudice to the legal provisions that regulate their exercise, and may be exercised by the Owner or by those authorized by law, provided they demonstrate that they are empowered for such purposes.

To exercise these rights, make complaints, requests, updates or claims, contact us at privacy@businessshop.ai.

Within 15 days of receiving your written request (and in accordance with Art. 15 and 16 of these Policies), we will provide you with your personal information, including the purposes for which it was used and to whom it is provided. disclosed to you in accordance with applicable law. We reserve the right to request additional information from you, which may be necessary to be able to properly respond to your request in accordance with applicable legislation and you accept such right. Furthermore, if you wish to correct, update and block inaccurate and/or incorrect data, we have the right to request confirmation of the correct data, for example official documents containing such information.

Please note that if we are unable to verify your identity through email messages or in your request to the call center, or in the case of reasonable doubt regarding your identity, we may ask you to provide proof of identity, including by means of identification personnel with appearance in our office. This is the only way we can avoid disclosing your personal information to a person who may violate your identity.

In some cases, we will not be able to change your personal information. In particular, such case may include the event where your personal information has already been used during the execution of any agreement or transaction, or is specified in any official document, etc.

Please note that if you exercise your right to revoke consent for the processing of personal data or the right to be forgotten, we will not be able to provide you with our products or services, and we have a special right to terminate all our current agreements with you with the application of the legal consequences of such termination, and you irrevocably acknowledge such our right.

To withdraw consent to the processing of personal data and/or exercise your right to be forgotten, please contact us at privacy@businessshop.ai. Furthermore, in this case, for security reasons, we may ask you to present your identification document directly at our office.

Article 13. Security of personal information.

We use a variety of security measures to ensure the confidentiality of your personal information and to protect your personal information from loss, theft, unauthorized access, misuse, alteration or destruction. The technical and organizational measures regarding security apply to the Databases, premises, equipment, systems, programs and people involved in the Processing of Personal Data. These security measures include, but are not limited to: Password-protected directories and databases, Secure Sockets Layered (SSL) technology to ensure your information is fully encrypted and sent over the Internet securely. Limited access to servers hosting through 2FA and traffic encryption, we incorporate Know Your Customer (KYC) and Anti-Money Laundering (AML) procedures as an integral part of our security and compliance practices.

All information is transmitted exclusively through SSL technology. Access to your personal information is restricted only to authorized personnel, who are required to treat such information with the highest degree of confidentiality. Additionally, we regularly review our security measures based on the latest legal and technological developments.

The Controller has implemented the necessary technical and organizational measures to guarantee the security of the Owner's Personal Data to prevent its alteration, loss, processing or unauthorized access. The security obligation is assumed in accordance with the state of technology, the nature of the stored data and the risks to which they are exposed, all in compliance with the provisions of the regulations indicated in Article 1 of the Policies.

13.1. Safety levels in Treatment.Taking into account the nature of the information subject to Processing, the Controller will apply different levels of security to the Personal Data, according to the incidents to which they are exposed during the Processing.

13.2. Control of access to information.The Controller restricts access to Personal Data to its internal staff, for which it implements technical and organizational security measures with the purpose of preventing unauthorized persons from accessing Personal Data.

13.3. Personnel training.The Responsible Person's staff will be trained to apply the security measures adopted, providing them with the necessary information regarding security according to the functions they perform in the Responsible's company and according to the access they have to Personal Data. The Responsible Person's staff is committed to knowing and observing the security measures created and implemented for the Processing of Personal Data and in general of all the information managed by the Responsible Party.

13.4. Incident log.The Controller implements procedures to record security incidents that threaten or affect the integrity of the information managed by the company. The procedures plan to organize the information that makes up the incident, indicate the information that was affected and the effects generated on it, in accordance with the parameters defined by the law and the INAI.

Article 14. Compliance officer.

The Controller has a Compliance Officer to protect the rights of the Owners of Personal Data, whose function will be in charge of the Operations Management of the Controller. The Compliance Officer will be in charge of addressing PQRs related to the Processing of Personal Data.

If you wish to make any request related to the exercise of your rights, queries or complaints about your Data as Owner, stored in the databases managed by the Controller, we encourage you to, in the first instance, contact our Delegate. of Data Protection by emailing privacy@businessshop.ai. Likewise, the Owner has the option to exercise their rights through the Controller's website (https://www.businessshop.ai/), the Contact Center, the Controller's mobile application or at the registered office of the Controller registered in The statutes.

Article 15. Procedure for consultations.

The Owner or his successors may make queries about their Personal Data that reside in the Database, either in writing or personally through the means described in Article 14 of the Policies. Consequently, the Responsible Party, or whomever it designates, will guarantee the right of consultation, providing the Owner or his successors in title with all the information that is contained with the Owner's identification.

The query will be answered within a maximum period of fifteen (15) business days from the date of receipt. When it is not possible to attend to the query within said term, the Owner will be informed, expressing the reasons for the delay and indicating the date on which the query will be attended to, which, in no case, may exceed five (5) days. business days following the expiration of the initial term.

Article 16. Procedure for claims.

The Owner or his successors who consider that the information contained in the Database must be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the Personal Data Protection regulations or these Policies, you may file a claim with the Data Controller, which must include:

• a)Identification of the Owner.

• b)The description of the facts that give rise to the claim.

• c)The physical or electronic address where you wish to receive notifications about the claim made.

• d)The documents that substantiate the facts of the claim.

The claim will be made in writing addressed to the Responsible Party, or to whomever it designates, and must be sent through one of the channels indicated in Article 14 of the Policies.

If the claim is presented incompletely, the Owner or his successors in title will be required within five (5) days following receipt of the claim to complement the claim.

After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claimant has abandoned his claim.

Once the complete claim is received, a legend indicating “claim in process” and the reason for it will be included in the Database within a period of no more than two (2) business days. Said legend must be maintained until the claim is assigned.

The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

Article 17. Retention of personal information.

We retain personal information for as long as necessary to fulfill the purposes outlined in this privacy policy, subject to our own legal and regulatory obligations. In accordance with our record-keeping obligations, we will retain account and other personal information for at least five years, or as permitted by law, after termination of the respective agreement.

Article 18. Treatment in accordance with the authorization.

Unless the Owner states otherwise and/or decides to revoke the authorization granted, the Controller is authorized to process the Owner's Personal Data for the fulfillment of the purposes described.

Article 19. Confidentiality.

The Controller will protect the privacy of the information. It may happen that, by virtue of court orders or legal regulations, information must be disclosed to authorities that require it.

Article 20. Use of cookies and similar technology.

The Website uses Cookies. Cookies are small text files that are placed on your computer by websites you visit. They are widely used to make websites work or operate more efficiently, as well as to provide information to site owners. Cookies are generally stored on your computer's hard drive.

Our website uses cookies to enable you to use the website, the services we offer and the materials on the website. Cookies are also used to distinguish you from other users of our site. This helps us provide you with a good experience when you browse our site and also allows us to improve.

Article 21. Updates to this privacy policy.

This Privacy Policy may be revised, modified, updated and/or supplemented at any time, without prior notice, at our sole discretion. When we make changes to this privacy policy, we will notify all users on our website and make the modified privacy policy available on our site.

Any changes to this Privacy Policy will become effective once we post the updated terms. In all cases, your continued use of the Services or access to the Site following the posting of any updated Privacy Policy indicates your acceptance of the updated Privacy Policy.